AWS Silent Alternatives for Stealthy WhoAmI

When performing reconnaissance in AWS, the `sts:GetCallerIdentity` API call is commonly used to identify the current IAM principal. However, this action logs to CloudTrail, leaving detectable traces. Security researcher Nick Frichette has identified alternative AWS API calls that do not log to CloudTrail and lack support for Data Events logging, making them ideal for stealthy operations.

Silent AWS WhoAmI Alternatives:

1. `iam:ListAccessKeys` – Retrieves access keys without CloudTrail logging.

2. `iam:ListUsers` – Enumerates IAM users silently.

3. `iam:GetUser` – Fetches IAM user details without logs.

4. `iam:ListRoles` – Lists roles without triggering CloudTrail.

🔗 Reference: WhoAmI – Get Principal Name From Keys – Hacking The Cloud

You Should Know:

Practical AWS CLI Commands for Silent Recon

1. Check Current IAM User Without Logs

aws iam get-user --output text --query 'User.UserName'

Alternative:

aws iam list-access-keys --output text --query 'AccessKeyMetadata[0].UserName'

2. List All IAM Users (Stealthy Enumeration)

aws iam list-users --query 'Users[].UserName' --output text

3. Extract Role Names Without CloudTrail Logging

aws iam list-roles --query 'Roles[].RoleName' --output text

4. Verify API Call Logging Status

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=GetCallerIdentity

(If the lookup still returns nothing after CloudTrail's delivery delay has passed, the call did not log.)

5. Cross-Account Silent Recon

aws sts assume-role --role-arn arn:aws:iam::TARGET_ACCOUNT:role/Admin --role-session-name StealthScan

(Then use `iam:ListUsers` in the assumed role.)

What Undercode Says:

AWS stealth operations require avoiding CloudTrail detection. While `sts:GetCallerIdentity` is standard, using `iam:ListAccessKeys` or `iam:GetUser` provides silent alternatives. For red teams, this means longer persistence without triggering alerts. Defenders should monitor unusual `iam:List` API spikes.
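As an added illustration of the defensive point above (not code from this post or from the referenced research), the following Python flags principals whose IAM `List*`/`GetUser` calls cluster inside a short window, run over constructed CloudTrail-style records; the account ID, principal names, five-minute window and threshold of three are assumptions to tune per environment.

```python
"""Flag IAM enumeration bursts in CloudTrail records (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta


def rec(time, source, name, arn):
    # Minimal CloudTrail-style record: only the fields the detector reads.
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}}


# Constructed sample principals (111122223333 is a placeholder account ID).
ADMIN = "arn:aws:iam::111122223333:user/admin-user"
BACKUP = "arn:aws:iam::111122223333:user/backup-user"

# Constructed records: admin-user enumerates IAM four times in ~1 minute,
# backup-user makes two isolated calls hours apart, plus one non-IAM call.
SAMPLE_RECORDS = [
    rec("2024-05-01T10:00:05Z", "iam.amazonaws.com", "GetUser", ADMIN),
    rec("2024-05-01T10:00:09Z", "iam.amazonaws.com", "ListAccessKeys", ADMIN),
    rec("2024-05-01T10:00:30Z", "iam.amazonaws.com", "ListUsers", ADMIN),
    rec("2024-05-01T10:01:02Z", "iam.amazonaws.com", "ListRoles", ADMIN),
    rec("2024-05-01T10:01:10Z", "sts.amazonaws.com", "GetCallerIdentity", ADMIN),
    rec("2024-05-01T09:00:00Z", "iam.amazonaws.com", "ListUsers", BACKUP),
    rec("2024-05-01T11:30:00Z", "iam.amazonaws.com", "ListUsers", BACKUP),
]


def is_iam_enumeration(record):
    """True for IAM List* and GetUser calls, the APIs named in the post."""
    name = record.get("eventName", "")
    return record.get("eventSource") == "iam.amazonaws.com" and (
        name.startswith("List") or name == "GetUser")


def find_enumeration_bursts(records, window=timedelta(minutes=5), threshold=3):
    """Return {principal_arn: peak_count} for principals whose IAM enumeration
    calls inside any sliding `window` reach `threshold` (assumed defaults)."""
    by_principal = defaultdict(list)
    for r in records:
        if is_iam_enumeration(r):
            t = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            by_principal[r.get("userIdentity", {}).get("arn", "unknown")].append(t)
    flagged = {}
    for arn, times in by_principal.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[arn] = max(flagged.get(arn, 0), count)
    return flagged
```

Feeding real CloudTrail records (the `Records` array of a delivered log file) into `find_enumeration_bursts` works unchanged, since only `eventTime`, `eventSource`, `eventName` and `userIdentity.arn` are read.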

Expected Output:

admin-user
backup-role
lambda-executor

Prediction:

As AWS enhances detection capabilities, attackers will increasingly abuse less-monitored APIs like `iam:List` for stealth. Expect AWS to eventually log these by default, forcing new evasion techniques.

🔗 Further Reading: AWS Stealth Recon Tactics

Reported By: Nick Frichette – Hackers Feeds